CVE-2026-23457
Analyzed Analyzed - Analysis Complete
Integer Overflow in Linux netfilter nf_conntrack_sip Causes Parsing Error

Publication date: 2026-04-03

Last updated on: 2026-05-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23457
EUVD
EUVD-2026-18714
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 2.6.34 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where the nf_conntrack_sip module correctly handles the Content-Length header by using an unsigned long type and rejecting invalid values.

Therefore, the immediate step to mitigate this vulnerability is to apply the latest Linux kernel updates or patches that include this fix.

Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nf_conntrack_sip module. The function sip_help_tcp() parses the SIP Content-Length header using simple_strtoul(), which returns an unsigned long value. However, the result is stored in an unsigned int variable named clen. On 64-bit systems, if the Content-Length value exceeds the maximum value of an unsigned int (UINT_MAX), it gets silently truncated.

For example, a Content-Length value of 4294967328 (which is 2^32 + 32) is truncated to 32. This causes the parser to miscalculate the boundary of the SIP message, leading the loop to mistakenly treat trailing data in the TCP segment as a second SIP message and process it incorrectly through the SDP parser.

The fix involved changing the clen variable to unsigned long to match the return type of simple_strtoul() and rejecting Content-Length values that exceed the remaining TCP payload length.

Impact Analysis

This vulnerability can cause the SIP message parser to misinterpret the boundaries of SIP messages due to truncation of the Content-Length header value. As a result, trailing data in a TCP segment may be incorrectly processed as a separate SIP message.

Such misinterpretation could lead to incorrect processing of network traffic, potentially causing unexpected behavior in SIP communications, which might be exploited to disrupt services or cause denial of service conditions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart